Commit 81ad6275 authored by Stefan Eissing's avatar Stefan Eissing
Merge of 1849296,1852038,1852101,1852339,1853171,1853967,1854365,1854963,1854964,1855295,1855411 from trunk:

  *) mod_http2: when SSL renegotiation is inhibited and a 403 ErrorDocument is
     in play, the proper HTTP/2 stream reset did not trigger with H2_ERR_HTTP_1_1_REQUIRED.
     Fixed. [Michael Kaufmann] 

  *) mod_http2: new configuration directive: `H2Padding numbits` to control 
     padding of HTTP/2 payload frames. 'numbits' is a number from 0-8,
     controlling the range of padding bytes added to a frame. The actual number
     added is chosen randomly per frame. This applies to HEADERS, DATA and PUSH_PROMISE
     frames equally. The default continues to be 0, e.g. no padding. [Stefan Eissing] 
  
  *) mod_http2: ripping out all the h2_req_engine internal features now that mod_proxy_http2
     has no more need for it. Optional functions are still declared but no longer implemented.
     While previous mod_proxy_http2 will work with this, it is recommended to run the matching
     versions of both modules. [Stefan Eissing]
  
  *) mod_proxy_http2: changed mod_proxy_http2 implementation and fixed several bugs which
     resolve PR63170. The proxy module now does a single h2 request on the (reused)
     connection and returns. [Stefan Eissing]
  
  *) mod_http2/mod_proxy_http2: proxy_http2 checks correct master connection aborted status 
     to trigger immediate shutdown of backend connections. This is now always signalled
     by mod_http2 when the session is being released.
     proxy_http2 now only sends a PING frame to the backend when there is not already one
     in flight. [Stefan Eissing]

  *) mod_proxy_http2: fixed an issue where a proxy_http2 handler entered an infinite 
     loop when encountering certain errors on the backend connection. 
     See <https://bz.apache.org/bugzilla/show_bug.cgi?id=63170>. [Stefan Eissing]

  *) mod_http2: Configuration directives H2Push and H2Upgrade can now be specified per 
     Location/Directory, e.g. disabling PUSH for a specific set of resources. [Stefan Eissing]

  *) mod_http2: HEAD requests to some modules such as mod_cgid caused the stream to
     terminate improperly and cause an HTTP/2 PROTOCOL_ERROR.
     Fixes <https://github.com/icing/mod_h2/issues/167>. [Michael Kaufmann]




git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1855431 13f79535-47bb-0310-9956-ffa450edef68
parent d23438e8
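The H2Padding entry above describes a per-frame random pad length in the range [0, 2^numbits). The following is an added example, not code from mod_http2 or from this commit: it builds an HTTP/2 DATA frame the way RFC 7540 sections 4.1 and 6.1 lay it out (9-byte header, Pad Length octet, payload, zero padding) and shows how the chosen pad length changes the on-the-wire size. The H2_* constants copy the values from this commit's h2.h hunk; the function names, the caller-supplied random value, the constructed 4-byte body and the 16384-byte TLS plaintext record limit are assumptions of the example.

```c
/* Added example (not mod_http2's code): how an H2Padding-style random pad
 * length in [0, 2^numbits) changes the wire size of an HTTP/2 DATA frame.
 * Frame layout follows RFC 7540 sections 4.1 and 6.1; the H2_* constants
 * mirror the values in this commit's h2.h hunk. TLS_RECORD_MAX is the
 * assumed 16384-byte TLS plaintext fragment limit. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define H2_FRAME_HDR_LEN    9
#define H2_DATA_CHUNK_SIZE  ((16 * 1024) - 100 - H2_FRAME_HDR_LEN)
#define H2_FRAME_TYPE_DATA  0x00
#define H2_FLAG_PADDED      0x08
#define TLS_RECORD_MAX      16384

/* Number of distinct pad lengths for numbits: 0 means no padding at all;
 * 8 is the ceiling because the Pad Length field is a single octet. */
int h2_padding_range(int numbits)
{
    if (numbits <= 0) return 0;
    if (numbits > 8) numbits = 8;
    return 1 << numbits;
}

/* Reduce a caller-supplied random value into [0, 2^numbits). Taking the
 * randomness as a parameter keeps the function deterministic for tests;
 * a server would feed it from a CSPRNG once per frame. */
int h2_pick_padlen(int numbits, unsigned rnd)
{
    int range = h2_padding_range(numbits);
    return range ? (int)(rnd % (unsigned)range) : 0;
}

/* Serialize one DATA frame: 9-byte header, then (if padded) a Pad Length
 * octet, the payload, and padlen zero octets (RFC 7540 requires zeros on
 * send). Returns the number of bytes written, or 0 on invalid input. */
size_t h2_build_data_frame(uint8_t *out, size_t cap, uint32_t stream_id,
                           const uint8_t *data, size_t len, int padlen)
{
    size_t payload = len + (padlen > 0 ? 1 + (size_t)padlen : 0);
    size_t total = H2_FRAME_HDR_LEN + payload;
    size_t pos = H2_FRAME_HDR_LEN;

    if (padlen < 0 || padlen > 255 || payload > 0xFFFFFF || total > cap)
        return 0;
    out[0] = (uint8_t)(payload >> 16);          /* 24-bit payload length */
    out[1] = (uint8_t)(payload >> 8);
    out[2] = (uint8_t)payload;
    out[3] = H2_FRAME_TYPE_DATA;
    out[4] = padlen > 0 ? H2_FLAG_PADDED : 0;
    out[5] = (uint8_t)((stream_id >> 24) & 0x7F); /* reserved bit cleared */
    out[6] = (uint8_t)(stream_id >> 16);
    out[7] = (uint8_t)(stream_id >> 8);
    out[8] = (uint8_t)stream_id;
    if (padlen > 0) out[pos++] = (uint8_t)padlen;
    memcpy(out + pos, data, len);
    pos += len;
    memset(out + pos, 0, (size_t)padlen);
    return pos + (size_t)padlen;
}

/* Does a padded DATA frame carrying data_len bytes still fit one TLS
 * record? This is the sizing assumption behind H2_DATA_CHUNK_SIZE. */
int h2_frame_fits_tls_record(size_t data_len, int padlen)
{
    size_t payload = data_len + (padlen > 0 ? 1 + (size_t)padlen : 0);
    return H2_FRAME_HDR_LEN + payload <= TLS_RECORD_MAX;
}

/* Helpers over a constructed 4-byte body ("abcd" on stream 1) so a result
 * can be inspected without managing a buffer at the call site. */
size_t h2_example_frame_len(int padlen)
{
    static const uint8_t body[] = { 'a', 'b', 'c', 'd' };
    uint8_t buf[512];
    return h2_build_data_frame(buf, sizeof buf, 1, body, sizeof body, padlen);
}

int h2_example_frame_byte(int padlen, size_t idx)
{
    static const uint8_t body[] = { 'a', 'b', 'c', 'd' };
    uint8_t buf[512];
    size_t n = h2_build_data_frame(buf, sizeof buf, 1, body, sizeof body, padlen);
    return (n == 0 || idx >= n) ? -1 : buf[idx];
}

int main(void)
{
    int numbits, pad;
    for (numbits = 0; numbits <= 8; numbits += 4) {
        /* 0x9E3779B9 is a fixed, constructed "random" value for the demo */
        pad = h2_pick_padlen(numbits, 0x9E3779B9u);
        printf("H2Padding %d: range %3d, pad %3d, frame %zu bytes, "
               "full chunk plus pad fits one TLS record: %s\n",
               numbits, h2_padding_range(numbits), pad, h2_example_frame_len(pad),
               h2_frame_fits_tls_record(H2_DATA_CHUNK_SIZE, pad) ? "yes" : "no");
    }
    return 0;
}
```

The last helper makes the sizing point visible: H2_DATA_CHUNK_SIZE leaves 100 bytes of slack below the 16384-byte record, so a Pad Length octet plus up to 99 padding bytes still fits, while numbits of 7 or 8 can push a full chunk across two records.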
+36 −0
                                                         -*- coding: utf-8 -*-
Changes with Apache 2.4.39

  *) mod_http2: when SSL renegotiation is inhibited and a 403 ErrorDocument is
     in play, the proper HTTP/2 stream reset did not trigger with H2_ERR_HTTP_1_1_REQUIRED.
     Fixed. [Michael Kaufmann] 

  *) mod_http2: new configuration directive: `H2Padding numbits` to control 
     padding of HTTP/2 payload frames. 'numbits' is a number from 0-8,
     controlling the range of padding bytes added to a frame. The actual number
     added is chosen randomly per frame. This applies to HEADERS, DATA and PUSH_PROMISE
     frames equally. The default continues to be 0, e.g. no padding. [Stefan Eissing] 
  
  *) mod_http2: ripping out all the h2_req_engine internal features now that mod_proxy_http2
     has no more need for it. Optional functions are still declared but no longer implemented.
     While previous mod_proxy_http2 will work with this, it is recommeneded to run the matching
     versions of both modules. [Stefan Eissing]
  
  *) mod_proxy_http2: changed mod_proxy_http2 implementation and fixed several bugs which
     resolve PR63170. The proxy module does now a single h2 request on the (reused)
     connection and returns. [Stefan Eissing]
  
  *) mod_http2/mod_proxy_http2: proxy_http2 checks correct master connection aborted status 
     to trigger immediate shutdown of backend connections. This is now always signalled
     by mod_http2 when the the session is being released. 
     proxy_http2 now only sends a PING frame to the backend when there is not already one
     in flight. [Stefan Eissing]

  *) mod_proxy_http2: fixed an issue where a proxy_http2 handler entered an infinite 
     loop when encountering certain errors on the backend connection. 
     See <https://bz.apache.org/bugzilla/show_bug.cgi?id=63170>. [Stefan Eissing]

  *) mod_http2: Configuration directives H2Push and H2Upgrade can now be specified per 
     Location/Directory, e.g. disabling PUSH for a specific set of resources. [Stefan Eissing]

  *) mod_http2: HEAD requests to some module such as mod_cgid caused the stream to
     terminate improperly and cause a HTTP/2 PROTOCOL_ERROR. 
     Fixes <https://github.com/icing/mod_h2/issues/167>. [Michael Kaufmann]

  *) http: Fix possible empty response with mod_ratelimit for HEAD requests.
     PR 63192. [Yann Ylavic]
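Review bot: the H2Padding entry's "The default continues to be 0, e.g. no padding" means "i.e.", and the same wording repeats in the H2Padding documentation later in this commit, so fix both together. Spelling in the other entries: "recommeneded" in the h2_req_engine entry, "when the the session" in the proxy_http2 entry, and the HEAD entry should read "some modules such as mod_cgid" and "an HTTP/2 PROTOCOL_ERROR". "The proxy module does now a single h2 request" reads better as "now does a single h2 request".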

+47 −4
@@ -244,6 +244,8 @@ H2Direct on
        <contextlist>
            <context>server config</context>
            <context>virtual host</context>
            <context>directory</context>
            <context>.htaccess</context>
        </contextlist>
        <compatibility>Available in version 2.4.18 and later.</compatibility>
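Review bot: the two new contexts (directory and .htaccess) are not reflected in the compatibility element right below, which still says only "Available in version 2.4.18 and later"; add that the directory and .htaccess contexts are available from 2.4.39, since H2Push placed in an .htaccess file on an earlier 2.4 release is rejected as not allowed there. Allowing the directive in .htaccess also means the AllowOverride class it falls under matters to administrators; the hunk does not show it, so make sure the usage text states it.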
        
@@ -269,7 +271,8 @@ H2Direct on
            </p>
            <p> 
                Link headers in responses are either set by the application or
                can be configured via <module>mod_headers</module> as:
                can be configured via <directive>H2PushResource</directive> or
                using <module>mod_headers</module> as:
            </p>
            <example><title>mod_headers example</title>
                <highlight language="config">
@@ -286,9 +289,10 @@ H2Direct on
                twice or more to one client. Use with care.
            </p>
            <p> 
                HTTP/2 server pushes are enabled by default. This directive 
                allows it to be switch off on all resources of this server/virtual
                host.
                HTTP/2 server pushes are enabled by default. On a server or virtual host,
                you may enable/disable this feature for any connection to the host. In addition,
                you may disable PUSH for a set of resources in a Directory/Location. This controls
                which resources may cause a PUSH, not which resources may be sent via PUSH.
            </p>
            <example><title>Example</title>
                <highlight language="config">
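Review bot: the new sentence "This controls which resources may cause a PUSH, not which resources may be sent via PUSH" is the important one and is easy to misread: an administrator who sets H2Push off in a Directory to keep its contents from being pushed has not achieved that, because a push triggered by a resource elsewhere can still send them. The example that follows should show both sides (a Location where pushes are disabled, and a note that resources under it can still be pushed from a page outside it), so the limit of the per-directory setting is explicit.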
@@ -480,6 +484,8 @@ H2PushPriority text/css interleaved # weight 256 default
        <contextlist>
            <context>server config</context>
            <context>virtual host</context>
            <context>directory</context>
            <context>.htaccess</context>
        </contextlist>
        
        <usage>
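Review bot: this second contextlist change does not show which directive it belongs to, but as with the H2Push change earlier in the file the compatibility text of that directive should record that the directory and .htaccess contexts are new in 2.4.39; nothing in the hunk does.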
@@ -938,4 +944,41 @@ H2TLSCoolDownSecs 0
        </usage>
    </directivesynopsis>
    
    <directivesynopsis>
        <name>H2Padding</name>
        <description>Determine the range of padding bytes added to payload frames</description>
        <syntax>H2Padding numbits</syntax>
        <default>H2Padding 0</default>
        <contextlist>
            <context>server config</context>
            <context>virtual host</context>
        </contextlist>
        <compatibility>Available in version 2.4.39 and later.</compatibility>
        
        <usage>
            <p>
                With the default 0, no padding bytes are added to any payload
                frames, e.g. HEADERS, DATA and PUSH_PROMISE. This is the behaviour
                of previous versions. It means that under certain conditions, an
                observer of network traffic can see the length of those frames 
                in the TLS stream.
            </p>
            <p>
                When configuring numbits of 1-8, a random number in range
                [0, 2^numbits[ are added to each frame. The random value is chosen
                independantly for each frame that the module sends back to the client.
            </p>
            <p>
                While more padding bytes give better message length obfuscation, they
                are also additional traffic. The optimal number therefore depends on
                the kind of web traffic the server carries.
            </p>
            <p>
                The default of 0, e.g. no padding, was chosen for maximum backward
                compatibility. There might be deployments where padding bytes are
                unwanted or do harm. The most likely cause would be a client that
                has a faults implementation.
            </p>
        </usage>
    </directivesynopsis>
</modulesynopsis>
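Review bot: the documented range "[0, 2^numbits[" is right (at numbits 8 the largest value, 255, still fits the one-octet Pad Length field), but the text around it needs work: "a random number ... are added" should be "is added", "independantly" should be "independently", "e.g. no padding" (twice) should be "i.e. no padding", and "a faults implementation" should be "a faulty implementation". On substance, the first paragraph would benefit from a pointer to RFC 7540 section 10.7, which says padding only increases the number of frames an observer has to see before inferring lengths and gives limited protection when the range is small, so readers do not take "H2Padding 8" as a fix for traffic analysis. It would also help to state that the padding octets are sent as zeros, as the RFC requires.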
+0 −1
@@ -31,7 +31,6 @@ h2_from_h1.lo dnl
h2_h2.lo dnl
h2_headers.lo dnl
h2_mplx.lo dnl
h2_ngn_shed.lo dnl
h2_push.lo dnl
h2_request.lo dnl
h2_session.lo dnl
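Review bot: h2_ngn_shed.lo leaves the autoconf object list while the commit message says the h2_req_engine optional functions remain declared but are no longer implemented; if they are also no longer registered, APR_RETRIEVE_OPTIONAL_FN in an older mod_proxy_http2 returns NULL for them, so the claim that "previous mod_proxy_http2 will work with this" holds only if that module checks for NULL before calling. State the matching-version recommendation in the module documentation, not only in CHANGES.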
+4 −3
@@ -48,12 +48,12 @@ extern const char *H2_MAGIC_TOKEN;
#define H2_HEADER_PATH_LEN   5
#define H2_CRLF             "\r\n"

/* Max data size to write so it fits inside a TLS record */
#define H2_DATA_CHUNK_SIZE          ((16*1024) - 100 - 9) 

/* Size of the frame header itself in HTTP/2 */
#define H2_FRAME_HDR_LEN            9
 
/* Max data size to write so it fits inside a TLS record */
#define H2_DATA_CHUNK_SIZE          ((16*1024) - 100 - H2_FRAME_HDR_LEN) 

/* Maximum number of padding bytes in a frame, rfc7540 */
#define H2_MAX_PADLEN               256
/* Initial default window size, RFC 7540 ch. 6.5.2 */
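Review bot: H2_DATA_CHUNK_SIZE is still described as "Max data size to write so it fits inside a TLS record", but with the new H2Padding directive a DATA frame can carry a Pad Length octet plus up to 255 padding octets on top of the 9-byte header, and the 100-byte slack in "((16*1024) - 100 - H2_FRAME_HDR_LEN)" only absorbs padding up to 99 octets; for numbits 7 or 8 a full chunk can exceed 16384 bytes and span two TLS records, which defeats the sizing and exposes some length information again. Either subtract the configured maximum padding when sizing data chunks or document the trade-off next to H2Padding. Separately, the comment on H2_MAX_PADLEN says "Maximum number of padding bytes in a frame", but the Pad Length field in RFC 7540 is one octet, so the maximum is 255; 256 is the number of possible values, which matches the [0, 2^8) range in the documentation, so reword the comment.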
@@ -162,5 +162,6 @@ typedef int h2_stream_pri_cmp(int stream_id1, int stream_id2, void *ctx);
#define H2_FILTER_DEBUG_NOTE    "http2-debug"
#define H2_HDR_CONFORMANCE      "http2-hdr-conformance"
#define H2_HDR_CONFORMANCE_UNSAFE      "unsafe"
#define H2_PUSH_MODE_NOTE       "http2-push-mode"

#endif /* defined(__mod_h2__h2__) */
+6 −6
@@ -75,7 +75,7 @@ h2_alt_svc *h2_alt_svc_parse(const char *s, apr_pool_t *pool)

static int h2_alt_svc_handler(request_rec *r)
{
    const h2_config *cfg;
    apr_array_header_t *alt_svcs;
    int i;
    
    if (r->connection->keepalives > 0) {
@@ -87,8 +87,8 @@ static int h2_alt_svc_handler(request_rec *r)
        return DECLINED;
    }
    
    cfg = h2_config_sget(r->server);
    if (r->hostname && cfg && cfg->alt_svcs && cfg->alt_svcs->nelts > 0) {
    alt_svcs = h2_config_alt_svcs(r);
    if (r->hostname && alt_svcs && alt_svcs->nelts > 0) {
        const char *alt_svc_used = apr_table_get(r->headers_in, "Alt-Svc-Used");
        if (!alt_svc_used) {
            /* We have alt-svcs defined and client is not already using
@@ -99,7 +99,7 @@ static int h2_alt_svc_handler(request_rec *r)
            const char *alt_svc = "";
            const char *svc_ma = "";
            int secure = h2_h2_is_tls(r->connection);
            int ma = h2_config_geti(cfg, H2_CONF_ALT_SVC_MAX_AGE);
            int ma = h2_config_rgeti(r, H2_CONF_ALT_SVC_MAX_AGE);
            if (ma >= 0) {
                svc_ma = apr_psprintf(r->pool, "; ma=%d", ma);
            }
@@ -107,8 +107,8 @@ static int h2_alt_svc_handler(request_rec *r)
                          "h2_alt_svc: announce %s for %s:%d", 
                          (secure? "secure" : "insecure"), 
                          r->hostname, (int)r->server->port);
            for (i = 0; i < cfg->alt_svcs->nelts; ++i) {
                h2_alt_svc *as = h2_alt_svc_IDX(cfg->alt_svcs, i);
            for (i = 0; i < alt_svcs->nelts; ++i) {
                h2_alt_svc *as = h2_alt_svc_IDX(alt_svcs, i);
                const char *ahost = as->host;
                if (ahost && !apr_strnatcasecmp(ahost, r->hostname)) {
                    ahost = NULL;